Does the HIPAA Privacy Rule require a covered entity to create an Institutional Review Board (IRB) or Privacy Board before using or disclosing protected health information for research?
No. The IRB or Privacy Board could be created by the covered entity or the recipient researcher, or it could be an independent board. See the fact sheet and frequently asked questions about the research provisions on this web site for more information about Institutional Review and Privacy Boards. Is documentation of Institutional Review Boards (IRB) and Privacy Board approval required by the HIPAA Privacy Rule before a covered entity would be permitted to disclose protected health information for research purposes without an individuals authorization? No. The HIPAA Privacy Rule requires documentation of waiver approval by either an IRB or a Privacy Board, not both. See the fact sheet and frequently asked questions about the research provisions on this web site for more information about Institutional Review and Privacy Boards.
Related Questions
- What are a covered entity’s obligations under the HIPAA Privacy Rule with respect to protected health information held by a business associate during the contract transition period?
- Under the HIPAA Privacy Rule, may a covered entity contract with a business associate to create a limited data set the same way it can use a business associate to create de-identified data?
- Does the HIPAA Privacy Rule require a covered entity to create an Institutional Review Board (IRB) or Privacy Board before using or disclosing protected health information for research?
